New Features - Centrify Application Services (formerly known as Identity Services)
Conditional Access for Endpoints and Infrastructure
Improved interaction with Infrastructure Services and Endpoint Services.
- Previous support was always-on MFA

- Now supports conditional access / adaptive MFA

Customization of SMS Messages
Added support for customization of SMS messages.
- MFA Challenge
- MFA Challenge for RADIUS
- Device Enrollment
Includes new “tiny URL” support.
- Reduced URLs from variable length of ~100 characters to 36 characters
Easy to customize in any of the supported languages.


[Screenshots: old SMS with long URL; 17.11 new SMS with short URL]
FIDO U2F Support
Added support for FIDO Universal 2nd Factor:

- Users can now self-register their U2F Security Keys

- Once registered, users can use these keys as an authentication mechanism.


Support for Multiple AWS Root Accounts
Updated Browser Extension and App template to support logging into multiple AWS Root Accounts.
- Template update: new field for Account ID
- Browser Extension update: now detects if you are logged in to AWS, and will log you out in order to log into the correct account

Active Users Dashboard Widget
Easy for Admins to find out how many user licenses they are using.
- Overview Dashboard now contains “Active Users” widget
Active Users = users who have authenticated through the service in the last 30 days.

Updates to OAuth (Preview)
Several enhancements to our OAuth implementation:
- Scopes now defined in-line in the OAuth App
- Settings menu for Scopes has been removed

- New OAuth Client App
- Ability to get Bearer Token for Client app

- Ability to generate Password for Confidential Clients
- Bonus feature – this is available for setting the password for ALL users

New Features - Centrify Endpoint Services
Password Checkout for Managed Local Admin Account (Mac)
Admins retrieving the LAPM password are now checking out the password:
- Password is rotated based on time interval in policy
- UI will change from "get" to "checkout" in 18.1
- Tip: use Password Generation Profiles to simplify the LAPM Password
Derived Credentials integration with Intercede MyID
You can now use Intercede MyID for Derived Credentials.
- Enabled via Policy

- Intercede libraries compiled into Centrify's iOS and Android apps
- Scan QR code to add Intercede MyID Derived Credential
- Both Intercede and Centrify's Derived Credential can be on the device together
- Removes the need for an entitlement to enable Derived Credential
The following apps have been added to the catalog:
- SpaceIQ (SAML)
- Constant Contact (User/Password) – re-added
The following apps have been updated:
- Amazon Web Services Console for IAM Users (User/Password)
- JIRA (SAML)
- Box (SAML+Provisioning) – documentation update only
- FedEx (User/Password)
- G Suite (SAML+Provisioning) – documentation update only
- Humanity (SAML) – documentation update only
- Zoom (SAML) – documentation update only
- Zoho (SAML) – documentation update only
The following apps have been removed:
New Features - Centrify Infrastructure Services (formerly known as Privilege Service)
Core Services Changes – Login Policies
- Policies – 17.11 changes:
- Login Policies
- Portal Policies are now separate
- (New) UNIX and Windows Servers section
- (New) Windows Workstations section
- (New) Privilege Elevation Policies

Impact:
- Changes the way MFA is set up
- Provides flexibility and future capabilities
- E.g. challenge for MFA only on weekends and outside business hours
- Existing customers:
- An “Auto generated” policy will be created automatically on first use
Active Directory - Automatic Account Maintenance
- Prior to 17.11, the target AD account password was used for SAPM operations
- Earlier this year, we introduced the Active Directory administrative account to support operations (unlock, zone role)
- Starting with 17.11, a new Policy is introduced: “Automatic Account Maintenance using Administrative Account”
- When enabled, CPS uses the Administrative Account for SAPM operations
Note: This policy has to be explicitly turned on.
- This greatly simplifies the process of adding AD accounts to Privilege Service
In this release, we introduce a new domain permission “Add Account.”
This permission is required for CPS administrators that have to add managed or unmanaged Active Directory account passwords into CPS.
Existing users (even if they have the Privilege Service Administrator entitlement) will not be able to add Active Directory accounts until they explicitly add the permission under the target domain’s permissions tab.

New Features - Centrify Analytics Services and SIEM
Behavior-based access control for Server Access (Alpha Release)
- Centrify Infrastructure Services Standard / Enterprise Customers can:
- Enable Behavior-based access control for every server access – login / privilege elevation
- Easily understand Server Access within their Enterprise (with Insights)
- Identify anomalous Server Access (with Explorer) based on past behavior on:
- Time, Command, Target Server, Account, etc.
- Forward Centrify Audit Events to Analytics Service via Centrify Sensor

Centrify Identity Platform Splunk Integration (Beta Release)
- Centrify Syslog Writer
- Easy to install Docker container that works on Windows Server 2012, RHEL 6, RHEL 7
- Gets Centrify Identity Platform access events (App Launches, Portal Access etc.) and forwards to a Syslog Server
- Centrify Identity Platform Splunk Add-On
- Normalizes Centrify Identity Platform events in Splunk

Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- A maximum of 20 devices may now be enrolled for each user. This is only enforced at enrollment time, so any devices already enrolled are unaffected (CC-53044).
- This release adds support for FIDO U2F authentication; however, this is only supported natively on Chrome and Opera (CC-50450).
- When capturing an app using the browser extension for Firefox, it is now possible to specify additional fields (CISSUP-3460, CC-52619).
- Launching JIRA with IdP-initiated SSO now functions correctly (CC-52788).
- It is now possible to search for an app in the User Portal simply by typing its name. Hitting enter launches the app if there’s only one search result (CC-42822).
- With Safari 11 on a Mac, it is now possible to expand the Provisioning Script panel in the Provisioning tab (CC-52399).
- The email notification results from OATH token bulk import have had duplicates removed and are now accurate (CISSUP-3492, CC-52975).
- When uploading a certificate for a SAML application, the newly uploaded certificate is automatically selected for the app (CC-47919).
- Users are now de-provisioned correctly from custom SAML apps that use SCIM for provisioning (CC-52473).
- When using MFA, bad passwords are now logged as events when a password is the first challenge and the user failed to complete other challenges (CISSUP-3456, CC-52627).
- Revised, more intuitive UI for providing a date range for report generation (CC-52522).
- Users that are created and added to a provisioning role before any invitation has been sent by the admin are no longer shown as having a last invite date/time (CISSUP-3495, CC-52937).
- The policy summary no longer shows an Organizational Unit (OU) when Active Directory policy is no longer used for device policy management (CC-52252).
- When using App Store apps purchased under a Volume Purchase Plan (VPP), license details are now shown for apps from all app stores, not just the US (CISSUP-3427, CISSUP-3079, CC-52356).
- The option “Do not de-provision (deactivate or delete) users in target application when the users are removed from mapped role” is now checked by default for all provisioning apps (CC-51904).
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.